The code of today's programs, including malicious ones, can include a complex set of instructions: jumps, calls, loops, etc. Further, the complexity of executable files is constantly increasing, owing to the growing popularity of high-level programming languages and to the increasing sophistication of computer hardware and operating systems. Such complexity applies to trusted and malicious applications alike. Malicious applications can perform a number of actions that are negative and undesirable from the user's point of view. Examples of such actions are: theft of passwords and other confidential user data, connection of a computer to a botnet in order to carry out DDoS attacks or to send spam, or blocking of the system's operation in order to extort money.
AutoIt is a freeware programming language for the automation of tasks in Microsoft Windows. In early versions, software written in AutoIt was primarily used to create automation scripts for Microsoft Windows programs. Automation scripts are useful for performing repetitive tasks, such as installing an identical set of programs on a large number of computers. In later versions of AutoIt, the functionality of the language increased substantially, which brought AutoIt closer to general-purpose programming languages. A script written in the AutoIt language can be compiled into an executable file that does not depend on any libraries. Virus writers have understandably been attracted to the AutoIt script language because of its broad capabilities and because the compiled script takes the form of a standalone executable file, which is convenient for distribution.
As a result, detecting malicious objects in executable files compiled from the AutoIt script language is necessary for computer security. In one example, applying traditional signature-based methods for the detection of malicious objects to executable files compiled from the AutoIt script language is difficult. Against such methods, the script may be obfuscated, and the executable file itself may be packed so as to hinder analysis: compressed and/or encrypted, with code attached to it that is needed for unpacking and execution. In another example, traditional heuristic methods for detecting malicious objects (in particular, emulation of such executable files) are also ineffective. In such methods, the presence of an interpreter (an unchangeable part of any executable file containing an AutoIt script) makes emulation very slow. As a result, virus writers can easily prevent detection by making the interpreter perform many useless actions. Virus writers can also easily counter traditional systems for the detection of malicious objects based on launching an executable file on a virtual machine. For example, a simple pause in execution (a call to the Sleep command, for instance) and large useless loops in the script code are not used by the detection system as grounds for issuing a verdict; rather, the system completes the examination when the allocated time expires (operation timeout), before the malicious object begins performing its malicious actions. In such cases, the size of the execution log of such a file can reach gigabytes.
Therefore, there is a need for systems and methods for the efficient detection of malicious executable files having a script language interpreter.
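As an added illustration of the timeout evasion described above (this code is not part of the original text), the following Python flags an emulation trace whose whole time budget was consumed by Sleep calls and empty loops before the run timed out, rather than silently ending the examination with no verdict. The trace format, the event names and both sample traces are constructed for this example.

```python
# Constructed trace format (not real sandbox output): "<elapsed_ms> <call> [<arg>]",
# one event per line; a final "Timeout" event means the sandbox budget expired.
STALLED_TRACE = """\
0 Sleep 60000
60000 Sleep 60000
120000 LoopIter 5000000
290000 Sleep 10000
300000 Timeout
"""
NORMAL_TRACE = """\
0 FileOpen
5 RegRead
40 Sleep 100
140 FileWrite
200 Exit
"""
IDLE_CALLS = {"Sleep", "LoopIter"}   # time with nothing observable happening
CONTROL_CALLS = {"Timeout", "Exit"}  # trace bookkeeping, not sample behaviour


def parse_trace(text):
    """Return (elapsed_ms, call, arg) tuples; arg is 0 when absent."""
    events = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 2:
            events.append((int(parts[0]), parts[1], int(parts[2]) if len(parts) > 2 else 0))
    return events


def analyze_trace(text, idle_threshold=0.8):
    """'stalled' = run timed out with >= idle_threshold of elapsed time spent
    in Sleep/empty-loop events; otherwise 'completed'."""
    events = parse_trace(text)
    if not events:
        return {"verdict": "empty"}
    timed_out = events[-1][1] == "Timeout"
    idle_ms, meaningful = 0, []
    # Charge each idle event the wall-clock time until the next event.
    for (ts, call, _), (next_ts, _, _) in zip(events, events[1:]):
        if call in IDLE_CALLS:
            idle_ms += next_ts - ts
        elif call not in CONTROL_CALLS:
            meaningful.append(call)
    idle_ratio = idle_ms / max(events[-1][0], 1)
    return {
        "timed_out": timed_out,
        "idle_ms": idle_ms,
        "idle_ratio": round(idle_ratio, 3),
        "meaningful_calls": meaningful,
        "verdict": "stalled" if timed_out and idle_ratio >= idle_threshold else "completed",
    }
```

A "stalled" result tells the analyst that the timeout was reached with no observed behaviour, which is the case the text says a plain timeout hides; it is a trigger for a longer or instrumented run, not a malware verdict by itself.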